06 July 2017

The Glory That Is the Free Market

As you are no doubt aware, Apple has locked down its iPhone platform something fierce.

Among other things, it makes security research much more difficult, which makes bugs a rare commodity in the Apple security community.

Of course, under the laws of supply and demand, that means the price of bugs goes up, which is why Apple's iPhone bug bounty program has no takers: it's simply not enough money:
For now, security researchers who have been invited by Apple to submit high-value bugs through the program prefer to keep the bugs for themselves.

In August 2016, Apple's head of security Ivan Krstic stole the show at one of the biggest security conferences in the world with an unexpected announcement.

"I wanna share some news with you," Krstic said at the Black Hat conference, before announcing that Apple was finally launching a bug bounty program to reward friendly hackers who report bugs to the company.

The crowd erupted in enthusiastic applause. But almost a year later, the long-awaited program appears to be struggling to take off, with no public evidence that hackers have claimed any bug bounties.

The iPhone's security is so tight that it's hard to find any flaws at all, which leads to sky-high prices for bugs on the grey market. Researchers I spoke to are reluctant to report bugs both because they are so valuable and because reporting some bugs may actually prevent them from doing more research.

"People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly."

Patrick Wardle, a former NSA hacker and researcher at Synack who now specializes in MacOS research and was invited to the Apple bug bounty program, agreed. He said that iOS bugs are "too valuable to report to Apple."


But it's not just about the immediate reward. iOS is such a complex, locked-down, and secure operating system that simply to inspect and do research on it, one needs multiple, unpatched, zero-day bugs, perhaps even a full-fledged jailbreak, according to researchers. In other words, you need unknown bugs just to find bugs in other parts of the operating system that might be otherwise locked.

That's why some prefer to keep their bugs and continue doing research rather than handicapping themselves for a reward of a few thousand dollars.

"Nobody is going to kill bugs unless they're fucking dumb," Luca Todesco, a well-known iPhone jailbreaker, told me a few months ago. "Just because they will kill their own future […] If I kill my own bugs then I'm not able to do my own research."


While the researchers were visiting Cupertino, they asked Apple's security team for special iPhones that don't have certain restrictions so it's easier to hack them, according to multiple people who attended the meeting. These devices would have some security features, such as sandboxing, disabled in order to allow the researchers to continue doing their work. One researcher described them as "developer devices."

But Apple, for now, isn't willing to provide those special devices, according to three researchers who recounted the exchange.

These bugs actually have a legal market: they help law enforcement break into phones, and they supply the firms that sell (legal) jailbreak software to end users, which lets those users evade Apple's frequently arbitrary rules on how a person may use their own phone.

In any case, Apple's opacity has raised the cost of bugs to more than Apple is willing to pay.

As to whether this is a good or a bad thing, I will leave that to the reader.
